Headline Ransomware Statistics
- The volume of ransomware attacks dropped 23% in 2022 compared to the previous year.
- In the first half of 2022, there were an estimated 236.1 million ransomware attacks globally.
- There were 623.3 million ransomware attacks globally in 2021.
- Ransomware accounted for around 20% of all cyber crimes in 2022.
- 20% of ransomware costs are attributed to reputation damage.
- 93% of ransomware is Windows-based executables.
- The most common entry point for ransomware is phishing.
- Organisations in the US are the businesses most likely to be affected by ransomware, accounting for 47% of attacks.
- Ransomware was the most common attack type for the manufacturing industry in 2021.
- 90% of ransomware attacks fail or result in zero losses for the victim.
Ransomware is a type of malware that blocks a victim’s access to their data until a ransom is paid. While not as common as phishing, ransomware is still a major threat to individuals and organisations worldwide. In 2021, more than a third of organisations globally suffered an attempted ransomware attack.
2021 saw 623.3 million ransomware attacks worldwide, an increase of 105% over 2020 figures. This can partly be explained as businesses continued to experience issues adapting networks and supply chains for remote and hybrid work. These are not all successful attacks, but rather attempted breaches.
In 2022, the volume of ransomware attacks dropped 23%, indicating that increased government scrutiny and general awareness of the dangers are having an effect.
However, attack methods are evolving. ‘Traditional’ ransomware techniques involved encrypting target data and charging victims a fee for the decryption key. Now, cyber criminals are threatening to release or sell the data if the ransom isn’t paid in so-called ‘double-extortion’ schemes.
Further extortion methods include Denial of Service attacks and harassment via email or phone. The use of all 4 techniques at the same time is rare.
Average ransomware demands have also seen dramatic increases in recent years. In 2021, the average ransomware payment rose 82% from 2020 to a record $570,000. This is after a 171% increase in 2020 to over $312,000.
High-profile ransomware attacks have highlighted the sophistication of modern cyber attacks and the dangers facing both organisations and individuals. In 2021, US-based meat production manufacturer JBS paid $11 million in ransom after an attack compromised its operations.
The cost of ransomware extends beyond the payment of the ransom. 20% of the costs are attributed to brand reputation damage.
However, this brand damage means reported ransomware infections may not reflect the actual number of successful attacks – organisations are keen to avoid bad publicity and the associated costs.
Therefore, estimating the number of successful ransomware attacks (attacks that resulted either in data leaks or ransom payments) is difficult. Analysis of websites known to be used by threat actors identified 2252 incidents in 2021, and a further 1858 from January to June 2022.
Between May 2021 and June 2022, there were an estimated 3640 successful ransomware attacks globally. As mentioned above, these ransomware statistics use publically reported figures; it is likely more ransomware victims haven’t reported breaches in security.
This supports the results from the research of 900 senior non-technical employees (CEOs, VPs and Directors). The research found that just 42% of companies would report a ransomware attack to both law enforcement and a cyber security incident response service.
60% believe that the media are exaggerating the threat that a potential ransomware attack poses. However, 64% have already been victims of at least one ransomware attack, of which 79% paid the ransomware group.
Of the 64% that have previously been attacked, 88% said they would pay the ransom again if attacked. In the same study, ransomware ranked the highest for the probability of attack at 66%, tied with data theft and ahead of cyber sabotage (62%), supply chain attacks (60%) and DDoS (60%).
Ransomware trends 2023
Ransomware is intrinsically linked with phishing
The latest ransomware statistics make it clear that phishing is the primary delivery method for ransomware. A recent report found that 75% of 1400 organisations surveyed suffered a ransomware attack, highlighting its continued prevalence in the business world. We offer more insights into the risks of phishing in our phishing statistics guide.
Of the 26% of respondents that had experienced a ‘significant’ increase in the number of email threats received in the last year, 88% were victimised by ransomware. This is far higher than the organisations whose email threats did not significantly increase, of which 65% experienced ransomware.
Rather than specifically stealing data with ransomware through phishing, the main aim of the initial phishing attack is to steal credentials. A study of 2249 social engineering incidents found that 63% resulted in compromised credentials, ahead of internal data (32%) and personal data (21%).
Using credentials means hackers can access internal networks as a ‘legitimate’ user. They can potentially escalate their attack undetected and deliver ransomware from within the network, encrypting and removing data before internal teams can respond.
The REvil ransomware group accounted for around 37% of all ransomware attacks committed in 2021. Formed in 2019, the gang operated for 31 months, operating REvil as ransomware-for-service that allowed criminals to use the software on a subscription basis.
The REvil group shut down in October 2021, making it one of the longest-running ransomware gangs – the average gang either shuts down or rebrands after 17 months.
During that time, REvil ransomware was used against thousands of businesses and individuals globally. This included an attack in 2020 on then-President Donald Trump, threatening the release of sensitive documents if a $42 million ransom wasn’t paid. It is not clear whether they actually had hacked any data relating to the President.
One high-profile attack occurred in 2021, when REvil claimed they had stolen data relating to new products by Apple, including schematics for an upcoming Macbook Pro. The group demanded $50 million as ransom.
Phishing appeared to be the primary delivery method for REvil ransomware. IBM’s X-Force observed that incidents involving REvil in 2021 often started with a ‘QakBot’ phishing email. This email would have a message urging the target to resolve an unpaid invoice or something similar. In some instances, hackers would hijack ongoing conversations to insert a malicious link.
When opened, the target would be instructed to unknowingly enable the QakBot banking trojan to be dropped into a system. REvil threat actors could then take command of the operation, conducting reconnaissance before attempting to compromise data.
- In the first half of 2022, there were around 236.1 million ransomware attacks globally.
- During 2021, at least 15.45% of internet users worldwide experienced at least 1 malware-class attack, which includes ransomware.
- Kaspersky reported that ransomware attacks were defeated on 366,256 unique user computers in 2021.
- Ransomware accounted for around 20% of cyber breaches in 2022. For comparison, using stolen credentials (hacking) accounted for 40% of breaches in 2022, and phishing accounts for around 20%.
- The incident rate for ransomware attacks was lower in the US (7%) compared to the worldwide average (37%) in 2022.
- Just 13% of organisations reported suffering a ransomware attack and not paying the ransom in 2022.
- The FBI reported an increase in the number of ransomware attacks during holidays and over the weekends (days that the FBI offices are closed).
- The FBI’s Internet Crime Complaint Centre (IC3) reported receiving 2084 complaints relating to ransomware incidents between January-July 2021, with losses amounting to $16.8 million.
- At least 130 different ransomware families have been uncovered. Gandcrab is the most active family, with 78.5% of reported attacks attributed to it.
- The top 10 countries most affected by ransomware attacks are:
- South Korea
- Focusing on just organisations, the top 5 most affected countries are:
- USA (47%)
- Italy (8%)
- Australia (8%)
- Brazil (6%)
- Germany (6%)
- 93.28% of detected ransomware files are Windows-based executables. The next most common file type is Android, at 2.09%.
- Ransomware accounted for 4% of cyber breaches in UK businesses in 2022.
- The most common entry point for ransomware attacks is through phishing, with 41%.
- Between 2020-2021, there was a 33% increase in the number of ransomware attacks caused by vulnerability exploitation.
- June experienced the most ransomware attacks in 2021, at 33% – this is a decrease on 2020 figures, where 50% of ransomware attacks that year happened in June.
- The top attack type against businesses in the manufacturing industry was ransomware in 2021, with hackers using this type in 23% of observed attacks. This was ahead of server access attacks (12%) and business email compromise (10%).
- In 2022, the UK-based National Cyber Security Centre coordinated responses to 18 high-profile ransomware attacks, including against the NHS 111 non-emergency number and South Staffordshire Water.
- 90% of ransomware attacks either fail or result in zero losses for the victim.
- 65% of Canadian companies expect to be hit by a ransomware attack.
- 11% of Canadian companies paid the ransom after suffering a ransomware attack.
- 12% of Canadian companies that were hit by a ransomware attack had their data leaked online.
- It’s estimated that, by 2031, a ransomware attack will occur every 2 seconds.
- The US-based IC3 received 2385 complaints from victims of ransomware, with losses amounting to more than $34.3 million.
- In 2021, ransomware attacks cost the US healthcare sector an estimated $7.8 billion in downtime alone. Over 19.7 million patient records were affected in 108 individual attacks during the year.
- A single attack cost a healthcare provider $112 million, including the cost of rectifying the breach, downtime and disruption to patients – some critical patients, such as stroke and heart attack victims, were re-routed due to the breach.
- Ransom demands in the attacks ranged from around $250,000 to $5 million.
- In the worst cases, disruption due to an attack took months to resolve. Those organisations that were more prepared, with regular data backups, experienced far less disruption to their services. The average time lost was around 6 days.
Notable ransomware attacks
Costa Rica ransomware attacks 2022
A series of ransomware attacks were launched against the Costa Rican government in 2022, forcing a national emergency to be declared as critical systems were crippled.
The cyber criminals launched two attacks. The first occurred from mid-April until May, with the digital tax service and IT systems relating to customs control as the main targets. According to estimates, 800 servers and several terabytes of information in the finance ministry were also impacted.
Due to the encryption of data and systems relating to customs control, trade in and out of the country was crippled. Losses from import and export businesses are estimated somewhere between $38 million and $125 million per day.
The ransomware group ‘Conti’ claimed responsibility for these attacks, demanding a $10 million ransom to avoid the data being leaked online.
The second attack targeted the Costa Rican Social Security Fund, which handles the country’s health service. More than half of the servers were impacted, forcing doctors to reschedule 7% of appointments in the first week following the attack.
A group using ‘HIVE’ ransomware were blamed for the second attack. HIVE has some links to Conti.
San Francisco 49ers ransomware attack 2022
In February 2022, the US NFL team, the San Francisco 49ers, suffered a ransomware attack against its corporate network. The BlackByte ransomware group listed the team as one of its victims on a dark web leak site.
The 49ers stated that the attack was limited to the corporate IT network, with systems like their stadium and ticket holders unaffected.
The BlackByte ransomware group, who claimed responsibility for the attack, first appeared in September 2021. They operate a Ransomware-as-a-Service model, renting out their malicious software to other threat actors who then carry out attacks. The first version of the software had a bug that gave a cyber security firm the opening to create a decrypter for anyone attacked by the malware. In response, BlackByte released an updated version that was used in the 49ers attack.
ION Cleared Derivatives ransomware attack 2023
On January 31st 2023, ION Cleared Derivatives, a division of ION Markets, suffered a ransomware attack that took its systems offline. These systems help automates the trading lifecycle of financial companies.
As a result of the attack, finance companies using ION were forced to confirm trades manually. Problems with data submissions meant that large trading companies were advised to estimate commodity prices and revise them later, in an attempt to avoid lengthy delays in reporting.
What is ransomware?
Ransomware is software that prevents an organisation from accessing its data until a ransom is paid. Examples include trojan viruses that copy the contents of a folder into a password-protected file and delete the original data. The password is only given when a ransom is paid.
More sophisticated methods allow cyber criminals to encrypt an organisation’s entire data infrastructure. An encryption key is provided once the ransom is paid.
How does ransomware work?
Ransomware works by blocking an organisation or individual’s access to their data. This happens either through software that encrypts the data, or the data is moved to another location.
In either case, access is only granted once a ransom has been paid. The sensitivity of the data that is stored in an organisation, such as personal employee details and intellectual property, means many pay the ransom to prevent further damage.
Ransomware is also successful against organisations as the attack can cripple their ability to function. By blocking access to important files and programs, staff cannot work, freezing or severely impacting operations.
This type of attack is also difficult to trace. Ransomware payments are usually made with cryptocurrencies, which are designed to be difficult to track.
How is ransomware spread?
Ransomware is spread primarily through phishing.
Cyber criminals send genuine-looking emails that prompt the target to follow a link or download a file. This then installs the ransomware on the device.
What is the WannaCry ransomware attack?
The WannaCry ransomware attack was a global cyber breach in 2017 that saw more than 200,000 computers in over 150 countries affected.
WannaCry was malicious software that targeted a vulnerability in unpatched versions of the Windows operating system. The hacking group known as ‘The Shadow Brokers’ exposed this vulnerability, which was called ‘EternalBlue’ and had allegedly been developed by the US National Security Agency.
Microsoft released a patch that removed the EternalBlue vulnerability. However, a lack of awareness or education on the importance of updating software meant many organisations and individuals worldwide ignored this patch.
As such, the impact of WannaCry was devastating, infecting hundreds of thousands of computer systems across the globe. The ransomware attackers encrypted data on the affected machines, demanding the victims pay the attackers $300 in Bitcoin to avoid having their data deleted.
WannaCry is estimated to have caused over $4 billion in damages worldwide. In the UK, the NHS had to cancel 19,000 appointments, costing the health service around £92 million.
What is DarkSide ransomware?
‘DarkSide’ is a hacking group that distributes ransomware-as-a-service (RaaS). This ransomware is rented on a subscription basis to other hackers (known as ‘affiliates’) with the original developers receiving a percentage of any profits gained from its deployment.
DarkSide emerged in August 2020, and has since been used in damaging attacks against organisations. On 7th May 2021, DarkSide forced Colonial Pipeline, a major gasoline pipeline running across east coast of the US, to cease operations after the ransomware encrypted critical computer systems.
Despite the ransom of 75 bitcoins (around $4.4 million) being paid quickly, operations were still affected and caused a state of emergency to be declared in 18 states to deal with petrol shortages.
Law enforcement agencies launched an operation to recover the ransom. Since then, $2.2 million in bitcoin has been found linked to individuals using DarkSide ransomware.
How often do ransomware attacks occur?
There were 236.1 million ransomware attacks worldwide in the first half of 2022.
Through 2021, there were 623.3 million ransomware attacks globally. This doesn’t mean every attack was successful, but it does highlight the prevalence of this cyber threat.
How many people are affected by ransomware?
71% of organisations worldwide were reportedly affected by ransomware attacks in 2022.
Data breaches through ransomware can affect anyone. While ransomware groups typically target organisations as more lucrative targets, around 3700 individuals reported falling victim to successful ransomware attacks in 2021. However, this number is likely higher as many victims won’t report losses. This amounted to $49.2 million being stolen from internet users throughout 2021.
How many malware attacks were there in 2022?
There were an estimated 2.8 billion malware attacks in just the first half of 2022.
In the first half of 2022, there were 2.8 billion malware attacks. ‘Malware’ includes any sort of malicious software, including ransomware, viruses, trojans and worms.
What percentage of all current cyber attacks are classified as ransomware?
20% of all current cyber attacks are classified as ransomware.
Ransomware accounted for a fifth of all cyber attacks in 2022. The use of stolen credentials accounted for a further 40% of attacks over the same period.
What causes a ransomware infection?
The main causes of ransomware include phishing, poor user practices and weak passwords.
41% of ransomware attacks use phishing as the delivery method. These malicious emails contain a link which, when clicked, could download the ransomware or take the target to a spoof website, where the hackers can see any details they enter. A study of more than 2000 cyber attack victims found that 63% had their credentials compromised, which could be used in further attacks to gain entry into business networks and inject ransomware.
IDC, Palo Alto Networks, JBS, Statista, SonicWall, Accenture, ENISA, Kaspersky, Mimecast, Verizon, IBM, NBC News, The Guardian, VirusTotal, FBI, UK government, CPS, Cybersecurity and Infrastructure Security Agency, Trend Micro, CNN, Surfshark, Wired, Sophos, The Record, Conceal, Comparitech, ION Group, Wall Street Journal
Browse more articles from our experts and discover how to make better use of IT in your business.
As the most common form of cyber crime, phishing affects both individuals and businesses. Find out how attack vectors and trends are developing with the latest phishing statistics.
Read the latest cyber crime statistics, updated for September 2023, and see how the threat landscape has changed in recent years.
Cloud computing has transformed both the business world and our personal lives. Find out how the cloud is evolving with the latest cloud computing statistics, updated for September 2023.